Perhaps we can achieve consensus on the following and move forward from there:
(1) The nature of systems producing, transporting, consuming, and operationalizing CTI represents a special class in terms of risks and impacts of compromise.
(2) Our adversaries will aggressively target these systems, as the effectiveness of same impedes their ability and/or increases their efforts/costs to execute "Actions on Objectives".
(3) Attack Surface Reduction (ASR) should be a core tenet of the CTI TC Standards. A majority of the diverse sets of systems operationally participating in a global CTI Ecosystem require system hardening.
Therefore, CTI TC Standards should only require implementation of the specific functional elements (e.g., Ports, Protocols, Services, Application interfaces) required to deliver a conformant instantiation of that feature/function.
If we concur on these core tenets, then we need a mechanism to manage the resultant variability in conformant systems. One way is to establish "Profiles".
The OASIS KMIP TC provides a reference implementation of the practical application of "Profiles" to Conformance Clauses and Interoperability Testing. KMIP Profiles in turn link to associated KMIP Test Cases. Any interested parties seeking representative examples of the principles advocated here can start with the Key Management Interoperability Protocol [1] Profiles and [2] Test-Cases.
[1] [KMIP-Profiles] Key Management Interoperability Protocol Profiles Version 1.2. Edited by Tim Hudson and Robert Lockhart. 19 May 2015. OASIS Standard.
Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org
Maybe this is where we need to separate the STIX certification into different categories to enable that differentiation to be recorded?
Full STIX compliance: full STIX including full CybOX objects and patterning.
Partial STIX compliance: STIX implementation of more than the specialized STIX compliance but not a full implementation of all parts of STIX.
Specialized STIX compliance: STIX and CybOX only focused on a specific subset of the language, and designed for a single purpose.
For a full STIX implementation I would expect the platform to implement the CybOX patterning. For a specialized STIX implementation I would expect it to only be implemented if it was required in that instance.
And as for allowing extensions to the list of signatures/patterns, I agree that's a good idea.
Cheers
Terry MacDonald
Cosive